
"Invalid SPDX License" after upgrading JSTS package #575

Open
mprins opened this issue Sep 27, 2023 · 4 comments
mprins commented Sep 27, 2023

After upgrading the JSTS package from 2.10.0 to 2.11.0 we're getting the message that it has an "Invalid SPDX License" "(EDL-1.0 OR EPL-1.0)" (the license information has not changed in 7 years).

We're using the following configuration:

```yaml
  dependency-review:
    name: 'Dependency Review'
    if: ${{ github.event_name == 'pull_request' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4

      - uses: actions/dependency-review-action@v3
        with:
          deny-licenses: GPL-2.0+, AGPL-3.0+
```

see https://github.com/B3Partners/tailormap-viewer/actions/runs/6323648494?pr=484 for the logs/output.

Do you have any hints or ideas?

Possibly related to #559.

febuiles (Contributor) commented

I've reproduced this successfully in https://github.com/future-funk/cuddly-octo-bassoon/actions/runs/6330878481/job/17194265977?pr=1. My guess is that our SPDX parser is having issues with OR expressions, but I will need to take a closer look. Will report my findings back!

mprins (Author) commented Sep 28, 2023

Thanks for looking into this.

I'm not sure what the authoritative source is for license keys, but I see it is lacking from https://spdx.org/licenses/

The EDL-1.0 key was rejected as described on https://wiki.spdx.org/view/Legal_Team/License_List/Licenses_Under_Consideration for being identical to BSD-3-Clause.
Still, none of these are recent changes...

febuiles (Contributor) commented
@mprins The list of licenses for NPM, Maven and Composer was recently refreshed. I'm guessing that since this is an older package there was no license set for it before. Thanks for the EDL pointer, I'll see if we can get this updated.

febuiles (Contributor) commented

I updated the license for jsts@2.11.0 by asking ClearlyDefined to harvest the package. Although the invalid EDL license was removed, the resulting expression is still marked invalid by the SPDX parser. Sample run here: https://github.com/future-funk/cuddly-octo-bassoon/actions/runs/6330878481/job/17558844147
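An added example (not code from dependency-review-action or from either commenter) that walks the SPDX expression grammar febuiles's comment points at: a tokenizer plus a recursive-descent parser over OR, AND, WITH and parentheses, checking every license id against a constructed subset of the SPDX list and against a deny-licenses list like the one in the workflow above. The license subset, the package expressions and the deny list are assumptions; EDL-1.0 is left out of the subset because, as noted above, SPDX rejected it as identical to BSD-3-Clause.

```python
import re
# Constructed subset of the SPDX license list (https://spdx.org/licenses/).
# EDL-1.0 is deliberately absent: SPDX rejected it as identical to BSD-3-Clause.
SPDX_IDS = {"MIT", "Apache-2.0", "BSD-3-Clause", "EPL-1.0", "EPL-2.0",
            "GPL-2.0", "GPL-2.0-only", "GPL-2.0-or-later", "AGPL-3.0"}
TOKEN = re.compile(r"\s*(\(|\)|[A-Za-z0-9.\-]+\+?)")   # parens, operators, ids

def tokenize(expr):
    """Split an SPDX expression into tokens; anything outside the grammar is an error."""
    pos, toks, expr = 0, [], expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m: raise ValueError(f"bad character at {pos}: {expr[pos:]!r}")
        toks.append(m.group(1))
        pos = m.end()
    return toks

def license_ids(expr):
    """Recursive descent over expr := term (OR term)*; term := factor (AND factor)*;
    factor := '(' expr ')' | id['+'] [WITH exception]. Returns the license ids seen."""
    toks, ids, pos = tokenize(expr), [], [0]     # pos: cursor shared by the closures
    peek = lambda: toks[pos[0]] if pos[0] < len(toks) else None
    def take():
        if peek() is None: raise ValueError("unexpected end of expression")
        pos[0] += 1
        return toks[pos[0] - 1]
    def parse_expr():
        parse_term()
        while peek() == "OR":
            take(); parse_term()
    def parse_term():
        parse_factor()
        while peek() == "AND":
            take(); parse_factor()
    def parse_factor():
        tok = take()
        if tok == "(":
            parse_expr()
            if take() != ")": raise ValueError("missing ')'")
        elif tok in ("AND", "OR", "WITH", ")"):
            raise ValueError(f"unexpected token {tok!r}")
        else:
            ids.append(tok.rstrip("+"))          # '+' is the or-later operator
            if peek() == "WITH":
                take(); take()                   # exception id, not validated here
    parse_expr()
    if peek() is not None: raise ValueError(f"trailing token {peek()!r}")
    return ids

def check_expression(expr, deny=(), known=SPDX_IDS):
    """Return (unknown_ids, denied_ids): unknown ids are the 'Invalid SPDX License' case."""
    ids, deny_ids = license_ids(expr), {d.strip().rstrip("+") for d in deny}
    return sorted(i for i in ids if i not in known), sorted(i for i in ids if i in deny_ids)
```

With this grammar "(EDL-1.0 OR EPL-1.0)" parses fine and fails only on the unknown EDL-1.0 id, so a parser that rejects the whole OR expression is doing something beyond id lookup.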

@febuiles febuiles added the Keep Exempt this from stalebot label Feb 20, 2024
@febuiles febuiles self-assigned this Mar 22, 2024